Code:
BugCheck 1E, {0, 0, 0, 0}
Probably caused by : ntkrnlmp.exe ( nt!KiKernelCalloutExceptionHandler+e )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: 0000000000000000, The exception code that was not handled
Arg2: 0000000000000000, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception
Debugging Details:
------------------
EXCEPTION_CODE: (Win32) 0 (0) - The operation completed successfully.
FAULTING_IP:
+6262613530613233
00000000`00000000 ?? ???
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000000
ERROR_CODE: (NTSTATUS) 0 - STATUS_WAIT_0
BUGCHECK_STR: 0x1E_0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: Wow.exe
CURRENT_IRQL: 2
EXCEPTION_RECORD: fffff880009b0558 -- (.exr 0xfffff880009b0558)
ExceptionAddress: fffff80003097611 (nt!KiTimerWaitTest+0x0000000000000171)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: ffffffffffffffff
Parameter[1]: 0000000000000000
Attempt to execute non-executable address 0000000000000000
TRAP_FRAME: fffff880009b0600 -- (.trap 0xfffff880009b0600)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000003 rbx=0000000000000000 rcx=fffffa800fb91800
rdx=0000000000000102 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80003097611 rsp=fffff880009b0790 rbp=fffdfa800fb91828
r8=fffff88002fd9301 r9=0000000000000002 r10=0000000000000091
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
nt!KiTimerWaitTest+0x171:
fffff800`03097611 488b6d00 mov rbp,qword ptr [rbp] ss:0018:fffdfa80`0fb91828=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800030865fe to fffff8000308ec10
STACK_TEXT:
fffff880`009af638 fffff800`030865fe : 00000000`00000004 00000000`00000000 fffff880`009afdb0 fffff800`030ba830 : nt!KeBugCheck
fffff880`009af640 fffff800`030ba4fd : fffff800`0329871c fffff800`031d5c30 fffff800`03012000 fffff880`009b0558 : nt!KiKernelCalloutExceptionHandler+0xe
fffff880`009af670 fffff800`030b92d5 : fffff800`031d9028 fffff880`009af6e8 fffff880`009b0558 fffff800`03012000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`009af6a0 fffff800`030ca361 : fffff880`009b0558 fffff880`009afdb0 fffff880`00000000 fffffa80`0fb91820 : nt!RtlDispatchException+0x415
fffff880`009afd80 fffff800`0308e2c2 : fffff880`009b0558 fffffa80`0fb91828 fffff880`009b0600 00000000`00000000 : nt!KiDispatchException+0x135
fffff880`009b0420 fffff800`0308ca92 : 00000000`40d20088 00000000`00026cb4 fffffa80`0d919e98 fffff880`016805f7 : nt!KiExceptionDispatch+0xc2
fffff880`009b0600 fffff800`03097611 : fffff800`03204e80 fffffa80`0ce5cb60 fffff880`009b0830 00000000`00000001 : nt!KiStackFault+0x112
fffff880`009b0790 fffff800`0309a43d : fffffa80`0fb91820 fffffa80`0d22e980 fffffa80`0d22e980 00000000`00000102 : nt!KiTimerWaitTest+0x171
fffff880`009b0810 fffff800`0309a37e : 00000003`b72096e0 fffff880`009b0e88 00000000`00018f91 fffff880`02fda7a8 : nt!KiProcessExpiredTimerList+0x6d
fffff880`009b0e60 fffff800`0309a167 : fffff880`02fd71c1 fffff880`00018f91 00000000`00000000 00000000`00000091 : nt!KiTimerExpiration+0x1be
fffff880`009b0f00 fffff800`03091765 : 00000000`00000000 fffffa80`0f1ddb60 00000000`00000000 fffff800`03140760 : nt!KiRetireDpcList+0x277
fffff880`009b0fb0 fffff800`0309157c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KyRetireDpcList+0x5
fffff880`0a851da0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchInterruptContinue
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiKernelCalloutExceptionHandler+e
fffff800`030865fe 90 nop
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KiKernelCalloutExceptionHandler+e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4e02aaa3
FAILURE_BUCKET_ID: X64_0x1E_0_nt!KiKernelCalloutExceptionHandler+e
BUCKET_ID: X64_0x1E_0_nt!KiKernelCalloutExceptionHandler+e
Followup: MachineOwner
---------
BugCheck 3B, {c0000005, fffff8800528f284, fffff8800a1fce00, 0}
Probably caused by : hardware ( dxgkrnl!COREACCESS::COREACCESS+d0 )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8800528f284, Address of the instruction which caused the bugcheck
Arg3: fffff8800a1fce00, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
dxgkrnl!COREACCESS::COREACCESS+d0
fffff880`0528f284 ab stos dword ptr [rdi]
CONTEXT: fffff8800a1fce00 -- (.cxr 0xfffff8800a1fce00)
rax=00000000de453b39 rbx=fffff8800a1fd8b8 rcx=fffffa800e567c40
rdx=0000000000001102 rsi=0000000000000001 rdi=0000000000000000
rip=fffff8800528f284 rsp=fffff8800a1fd7e8 rbp=fffff8800a1fdb60
r8=fffff8a00fb20000 r9=000000006e6f6017 r10=0000000000000ae4
r11=fffff8800a1fd900 r12=0000000000000000 r13=00000000044ffd20
r14=0000000000000003 r15=0000000073522450
iopl=0 nv up ei ng nz ac po cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010297
dxgkrnl!COREACCESS::COREACCESS+0xd0:
fffff880`0528f284 ab stos dword ptr [rdi] ds:002b:00000000`00000000=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x3B
PROCESS_NAME: Wow.exe
CURRENT_IRQL: 0
MISALIGNED_IP:
dxgkrnl!COREACCESS::COREACCESS+d0
fffff880`0528f284 ab stos dword ptr [rdi]
LAST_CONTROL_TRANSFER: from 0000000000000000 to fffff8800528f284
STACK_TEXT:
fffff880`0a1fd7e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : dxgkrnl!COREACCESS::COREACCESS+0xd0
FOLLOWUP_IP:
dxgkrnl!COREACCESS::COREACCESS+d0
fffff880`0528f284 ab stos dword ptr [rdi]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: dxgkrnl!COREACCESS::COREACCESS+d0
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: hardware
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: .cxr 0xfffff8800a1fce00 ; kb
MODULE_NAME: hardware
FAILURE_BUCKET_ID: X64_IP_MISALIGNED_dxgkrnl.sys
BUCKET_ID: X64_IP_MISALIGNED_dxgkrnl.sys
Followup: MachineOwner
---------
BugCheck F7, {fffff880f485e9d0, 338b634e08b0, ffffcc749cb1f74f, 0}
Probably caused by : ntkrnlmp.exe ( nt!_report_gsfailure+25 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: fffff880f485e9d0, Actual security check cookie from the stack
Arg2: 0000338b634e08b0, Expected security check cookie
Arg3: ffffcc749cb1f74f, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_MISSING_GSFRAME
SECURITY_COOKIE: Expected 0000338b634e08b0 found fffff880f485e9d0
CUSTOMER_CRASH_COUNT: 1
BUGCHECK_STR: 0xF7
PROCESS_NAME: Wow.exe
CURRENT_IRQL: 0
EXCEPTION_RECORD: fffff8800b74f798 -- (.exr 0xfffff8800b74f798)
ExceptionAddress: fffff80003091817 (nt!MmZeroPageThread+0x000000000000039a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000218ab8f10
Attempt to read from address 0000000218ab8f10
TRAP_FRAME: fffff8800b74f840 -- (.trap 0xfffff8800b74f840)
Unable to read trap frame at fffff880`0b74f840
LAST_CONTROL_TRANSFER: from fffff80003157e35 to fffff800030c9c40
STACK_TEXT:
fffff880`0b74e838 fffff800`03157e35 : 00000000`000000f7 fffff880`f485e9d0 0000338b`634e08b0 ffffcc74`9cb1f74f : nt!KeBugCheckEx
fffff880`0b74e840 fffff800`03119b47 : fffffa80`0e6fe480 fffff880`0492a070 fffff880`0b74eff0 fffff800`030f5830 : nt!_report_gsfailure+0x25
fffff880`0b74e880 fffff800`030f54fd : 00000000`0010001f fffff880`0b74eff0 fffff880`0b74f840 fffff880`0b74f798 : nt!_GSHandlerCheck+0x13
fffff880`0b74e8b0 fffff800`030f42d5 : fffff800`0320edd0 fffff880`0b74e928 fffff880`0b74f798 fffff800`0304d000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`0b74e8e0 fffff800`03105361 : fffff880`0b74f798 fffff880`0b74eff0 fffff880`00000000 fffffa80`0d6ab060 : nt!RtlDispatchException+0x415
fffff880`0b74efc0 fffff800`030c92c2 : fffff880`0b74f798 00000000`00000000 fffff880`0b74f840 00000002`18ab8f00 : nt!KiDispatchException+0x135
fffff880`0b74f660 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatch+0xc2
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!_report_gsfailure+25
fffff800`03157e35 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!_report_gsfailure+25
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4e02aaa3
FAILURE_BUCKET_ID: X64_0xF7_MISSING_GSFRAME_nt!_report_gsfailure+25
BUCKET_ID: X64_0xF7_MISSING_GSFRAME_nt!_report_gsfailure+25
Followup: MachineOwner
---------
BugCheck D5, {fffff980016c0d60, 0, fffff88006d883fa, 0}
Unable to load image \SystemRoot\system32\drivers\RTKVHD64.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for RTKVHD64.sys
*** ERROR: Module load completed but symbols could not be loaded for RTKVHD64.sys
Could not read faulting driver name
Probably caused by : RTKVHD64.sys ( RTKVHD64+f83fa )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff980016c0d60, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff88006d883fa, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8000330c100
fffff980016c0d60
FAULTING_IP:
RTKVHD64+f83fa
fffff880`06d883fa 8b4630 mov eax,dword ptr [rsi+30h]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
BUGCHECK_STR: 0xD5
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 0
TRAP_FRAME: fffff88003d9b160 -- (.trap 0xfffff88003d9b160)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffff88003d9b388
rdx=fffff88003d9b2f0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88006d883fa rsp=fffff88003d9b2f0 rbp=0000000000000002
r8=0000000000000000 r9=fffff88006d883fa r10=0000000000000100
r11=fffff88002f65180 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
RTKVHD64+0xf83fa:
fffff880`06d883fa 8b4630 mov eax,dword ptr [rsi+30h] ds:5180:00000000`00000030=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800030859fc to fffff800030d9c40
STACK_TEXT:
fffff880`03d9aff8 fffff800`030859fc : 00000000`00000050 fffff980`016c0d60 00000000`00000000 fffff880`03d9b160 : nt!KeBugCheckEx
fffff880`03d9b000 fffff800`030d7d6e : 00000000`00000000 fffff980`016c0d60 fffffa80`10166000 fffff8a0`02376120 : nt! ?? ::FNODOBFM::`string'+0x4611f
fffff880`03d9b160 fffff880`06d883fa : fffff880`03d9b388 00000000`00000000 fffff8a0`02376120 fffffa80`0fdd4a90 : nt!KiPageFault+0x16e
fffff880`03d9b2f0 fffff880`03d9b388 : 00000000`00000000 fffff8a0`02376120 fffffa80`0fdd4a90 00000000`00000000 : RTKVHD64+0xf83fa
fffff880`03d9b2f8 00000000`00000000 : fffff8a0`02376120 fffffa80`0fdd4a90 00000000`00000000 fffff800`00000000 : 0xfffff880`03d9b388
STACK_COMMAND: kb
FOLLOWUP_IP:
RTKVHD64+f83fa
fffff880`06d883fa 8b4630 mov eax,dword ptr [rsi+30h]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: RTKVHD64+f83fa
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: RTKVHD64
IMAGE_NAME: RTKVHD64.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4e2e8738
FAILURE_BUCKET_ID: X64_0xD5_VRF_RTKVHD64+f83fa
BUCKET_ID: X64_0xD5_VRF_RTKVHD64+f83fa
Followup: MachineOwner
---------
BugCheck C9, {7, fffff88007d3ea10, fffff9805515aee0, 0}
Unable to load image \??\C:\Program Files\PeerBlock\pbfilter.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for pbfilter.sys
*** ERROR: Module load completed but symbols could not be loaded for pbfilter.sys
Probably caused by : pbfilter.sys ( pbfilter+2a10 )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
The IO manager has caught a misbehaving driver.
Arguments:
Arg1: 0000000000000007, IRP passed to IoCompleteRequest still has cancel routine set
Arg2: fffff88007d3ea10, the cancel routine pointer
Arg3: fffff9805515aee0, the IRP
Arg4: 0000000000000000
Debugging Details:
------------------
BUGCHECK_STR: 0xc9_7
DRIVER_VERIFIER_IO_VIOLATION_TYPE: 7
IRP_CANCEL_ROUTINE:
pbfilter+2a10
fffff880`07d3ea10 48895c2408 mov qword ptr [rsp+8],rbx
FAULTING_IP:
pbfilter+2a10
fffff880`07d3ea10 48895c2408 mov qword ptr [rsp+8],rbx
FOLLOWUP_IP:
pbfilter+2a10
fffff880`07d3ea10 48895c2408 mov qword ptr [rsp+8],rbx
IRP_ADDRESS: fffff9805515aee0
DEVICE_OBJECT: fffffa800e2c0cc0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from fffff8000357f072 to fffff800030dfc40
STACK_TEXT:
fffff880`080890e8 fffff800`0357f072 : 00000000`000000c9 00000000`00000007 fffff880`07d3ea10 fffff980`5515aee0 : nt!KeBugCheckEx
fffff880`080890f0 fffff880`07d3e9ea : 00000000`000033d8 00000000`00000000 fffffa80`0e2c0e10 fffff980`5515aee0 : nt!IovCompleteRequest+0x72
fffff880`080891c0 00000000`000033d8 : 00000000`00000000 fffffa80`0e2c0e10 fffff980`5515aee0 00000000`00000011 : pbfilter+0x29ea
fffff880`080891c8 00000000`00000000 : fffffa80`0e2c0e10 fffff980`5515aee0 00000000`00000011 00000000`0101a8c0 : 0x33d8
STACK_COMMAND: .bugcheck ; kb
SYMBOL_NAME: pbfilter+2a10
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: pbfilter
IMAGE_NAME: pbfilter.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4cd60dba
FAILURE_BUCKET_ID: X64_0xc9_7_VRF_pbfilter+2a10
BUCKET_ID: X64_0xc9_7_VRF_pbfilter+2a10
Followup: MachineOwner
---------